AWS Configuration

If this is the first time you are using SQS, it is strongly recommended that you go through Quick start with SQS first.

SQS (Simple Queue Service): This queue stores exactly one message at any given time. The message contains "the last time" (in Zulu format, i.e. UTC with a trailing Z) the script ran to collect events from Halo. On each run the message is read and deleted, and a new one carrying the current time in Zulu format is added to the queue.

The queue is automatically created the first time you run the Halo_events_to_SumoLogic Lambda code.

Lambda Functions

If this is the first time you are using Lambda, it is strongly recommended that you go through Quick start with Lambda first.

Recommended configuration

Download the Python code from the following two zip file links:

Halo_events_to_SumoLogic.zip - Python Lambda code to collect Halo events and forward them to Sumo Logic. This Python Lambda code uses Halo's API to collect the security events reported by the agents installed in your workloads. It reads the "last time" the Lambda code ran from the SQS queue, then issues API call(s) requesting any events reported between that "last time" and the current time. It uses the SQS queue to store the "last time" the events were collected.
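The checkpoint handoff described in the SQS section and in the paragraph above (read the marker, delete it, write the current time back) is the part of this design that decides whether the event feed has gaps or duplicates. The following is an added example, not code from the Halo_events_to_SumoLogic package: it runs the same cycle against a small in-memory stand-in for the queue so it can be exercised offline. The queue name last_time_scan comes from the text; the exact message format (an ISO 8601 UTC timestamp ending in Z) and the failure handling are assumptions.

```python
"""Checkpoint handoff for the "last time" marker kept in the last_time_scan queue.

Added example (not the project's own code). The in-memory queue below stands in
for the three SQS calls the cycle needs (send, receive, delete); the message
format "YYYY-MM-DDTHH:MM:SSZ" is an assumption about how the marker is stored.
"""
from datetime import datetime, timedelta, timezone

QUEUE_NAME = "last_time_scan"          # name the text says is created automatically
ZULU_FMT = "%Y-%m-%dT%H:%M:%SZ"        # assumed marker format ("Zulu" = UTC, trailing Z)


def to_zulu(ts: datetime) -> str:
    """Render an aware datetime as a Zulu timestamp."""
    return ts.astimezone(timezone.utc).strftime(ZULU_FMT)


def parse_zulu(s: str) -> datetime:
    """Parse a Zulu timestamp; raises ValueError on anything else."""
    return datetime.strptime(s, ZULU_FMT).replace(tzinfo=timezone.utc)


class InMemoryQueue:
    """Stand-in for the SQS queue: receipt handle -> message body."""

    def __init__(self):
        self.messages = {}
        self._counter = 0

    def send_message(self, body: str) -> None:
        self._counter += 1
        self.messages[f"rh-{self._counter}"] = body

    def receive_message(self):
        """Return (receipt_handle, body) or None when the queue is empty."""
        for handle, body in self.messages.items():
            return handle, body
        return None

    def delete_message(self, handle: str) -> None:
        self.messages.pop(handle, None)


def checkpoint_window(queue, now: datetime, max_lookback: timedelta = timedelta(hours=24)):
    """Return (since, until) for the events to fetch and advance the marker.

    Edge cases handled (design choices of this example, not documented behaviour):
    - empty queue (first run, or a previous run died between delete and send):
      fall back to now - max_lookback instead of failing or fetching everything;
    - unparsable marker: treated like a missing one;
    - marker in the future (clock skew): clamped so the window is never negative.
    The old marker is deleted before the new one is written, so the queue holds at
    most one message, as the description says.
    """
    until = now.astimezone(timezone.utc)
    fallback = until - max_lookback
    since = fallback
    received = queue.receive_message()
    if received is not None:
        handle, body = received
        try:
            since = parse_zulu(body)
        except ValueError:
            since = fallback               # corrupt marker: use the bounded fallback
        queue.delete_message(handle)
    if since > until:
        since = until                      # future marker: empty window, not negative
    queue.send_message(to_zulu(until))
    return since, until


if __name__ == "__main__":
    q = InMemoryQueue()
    first = checkpoint_window(q, datetime.now(timezone.utc))
    print("first run window:", to_zulu(first[0]), "->", to_zulu(first[1]))
    second = checkpoint_window(q, datetime.now(timezone.utc) + timedelta(minutes=5))
    print("next run window: ", to_zulu(second[0]), "->", to_zulu(second[1]))
    print("messages in queue:", len(q.messages))
```

Because the marker is deleted before the new one is written, a run that dies in between leaves the queue empty; the bounded fallback then re-fetches up to 24 hours of events rather than silently skipping them, which is the right trade-off for a SIEM feed (duplicates are easier to deal with downstream than gaps). With the 5-minute schedule configured later on this page, each window is normally about five minutes wide.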

Halo_metrics_to_SumoLogic.zip - Python Lambda code to collect Halo metrics and forward them to Sumo Logic. This Python Lambda code would use Halo’s API to collect the key stats from your Halo account.

Configure AWS Lambda for Halo_events_to_SumoLogic

Change Code entry type to Upload a .ZIP file and upload the Halo_events_to_SumoLogic.zip file. Then enter the environment variables with the proper values (refer to the steps above).

Fill in the information to match the screenshot below. Enter halo_events_to_sumologic.lambda_handler for Handler. Then select “Create a custom role” for Role.

Fill in the information to match the screenshot below. Select “Choose a new IAM Role” for IAM Role and lambda_basic_execution for Role Name.

Change the Timeout to 4 minutes under Advanced Settings.

Verify that all the information is entered correctly, then click Create Function to proceed.
The screenshot does not show values for the Environment Variables, but you should have entered them with your information.

Now we need to create an IAM role. Select IAM.

Select the lambda_basic_execution role that was created in the previous step.

Select AmazonSQSFullAccess and AWSLambdaBasicExecutionRole for the policies. If you don't have these policies, refer to the AWS manual and the next few steps to create them.

Here is the sample policy for AmazonSQSFullAccess. Make sure you change the permissions to meet your security requirements.
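AmazonSQSFullAccess grants every SQS action on every queue in the account, which is far more than this function needs: it only has to create and use the single last_time_scan queue. The following is an added example of a scoped-down policy, not the project's sample policy: it is based on the behaviour described on this page (the queue is created on first run, then a message is received, deleted and a new one sent). REGION and ACCOUNT_ID are placeholders to fill in, and the inclusion of sqs:GetQueueUrl is an assumption about how the code locates the queue. Logging permissions are already covered by AWSLambdaBasicExecutionRole, which stays attached.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "HaloCheckpointQueueOnly",
      "Effect": "Allow",
      "Action": [
        "sqs:CreateQueue",
        "sqs:GetQueueUrl",
        "sqs:SendMessage",
        "sqs:ReceiveMessage",
        "sqs:DeleteMessage"
      ],
      "Resource": "arn:aws:sqs:REGION:ACCOUNT_ID:last_time_scan"
    }
  ]
}
```

If the first test run fails with an AccessDenied error on an SQS call, the Log Output will name the missing action; add only that action rather than falling back to the full-access policy.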

Let’s test the Lambda code. Click on Test and then Save and test to start the code.

If it is configured properly, it should create the SQS queue for you, and the outcome should look similar to the one below. Result should show the time in Zulu format, and Log Output should include [create_queue].

If you check the SQS dashboard, you will see the new queue, last_time_scan, has been created for you automatically.

Let's create a trigger for our Lambda code. I want this code to run every 5 minutes. Select Triggers from the tab. Then click Add trigger.

Then click on the blank square to bring out the pulldown menu. Select CloudWatch Events - Schedule.

Fill in the information and make sure you set the Schedule expression as rate(5 minutes).

A successfully configured trigger will have a success message and appear similar to the trigger below.

You are done with the first Lambda code! You can follow the same steps to configure Lambda for Halo_metrics_to_SumoLogic.